LOLDrivers 2.0: Pioneering Progress

Michael Haag (magicswordio), July 31, 2023

Introducing LOLDrivers 2.0: a release that refines the site and expands the project's detection and prevention content. The landing page now has categories and an individual download button for each hash, and after a brief hiatus the search function is back by popular demand. We've also integrated Florian Roth's YARA generator, which produces a YARA rule for every driver on each merge. It processes the input samples, extracts the 'VersionInfo' values from the driver's PE headers, and emits rules that match on those values, so the driver is caught even when it is embedded in another file or already loaded into memory.

To broaden the database, we went through the Microsoft driver block list and are adding more than 750 new drivers, the result of ingenuity, diligence and, yes, plenty of coffee. LOLDrivers 2.0 also generates a WDAC deny policy on every release, adds CVE enrichment to pages with a known CVE, updates the Sysmon config for Sysmon 15, revises the Sigma rules, and ships YARA rules for detection and prevention.

Our VirusTotal collections are growing and now cover both LOLDrivers and Revoked Bootloaders (more on that project next time). There is also a PowerShell scanner and a range of community variations to explore.

Check it all out at LOLDrivers.io!

Community Contributions

To those that contributed or assisted us for 2.0 — Thank you!

Updated Landing Page

  • Added categories
  • Added a download button for each individual hash
  • Removed search
  • Re-added search

Yara Generator

The YARA generator, courtesy of Florian Roth, generates YARA rules on the fly. With each merge we can now enrich a driver's YAML file with a YARA rule. The generator reads the input samples and extracts specific 'VersionInfo' values from the driver's PE headers, such as the company name, file version, product version and description, and builds a rule that matches those values even when they sit inside another file or in process memory.

How does it work?

The generator processes the input samples and extracts specific 'VersionInfo' values from each driver's PE headers: the company name, file version, product version, description and similar fields. It then writes a YARA rule with one string per value and a deliberately permissive condition, simply `all of them`, with no check on the PE header at offset zero or on the file size. Because the rule only requires the strings to be present, it still fires when the driver is embedded in another file or has been loaded into memory.
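The following is an added example of the idea described above, written for this page; it is not the project's generator. It turns a constructed VersionInfo dictionary into a rule with the permissive `all of them` condition, and includes a toy matcher that mimics YARA's `wide ascii` modifiers so you can see the rule fire on the driver's strings buried inside another blob. The rule naming, the field list and the minimum value length are this example's own choices; a real tool would read VersionInfo from the PE's VS_VERSIONINFO resource (for instance with the pefile library) instead of a hand-built dict.

```python
"""Generate a LOLDrivers-style YARA rule from a driver's VersionInfo values.

Added example, not the project's generator. VersionInfo comes from a
constructed dict; a real tool reads it from the PE's VS_VERSIONINFO resource
(e.g. with the pefile library).
"""
import re

# Constructed sample input (not a real driver).
SAMPLE_VERSIONINFO = {
    "CompanyName": "Example Hardware Inc.",
    "FileDescription": "Example Hardware Monitor Driver",
    "FileVersion": "1.2.3.4",
    "ProductVersion": "1.2.3.4",
    "ProductName": "ExampleMon",
    "OriginalFilename": "examplemon.sys",
}
SAMPLE_SHA256 = "a" * 64  # placeholder, not the hash of a real sample

# VersionInfo keys worth matching on (assumed list), in rule order.
FIELDS = ("CompanyName", "FileDescription", "FileVersion", "ProductVersion",
          "ProductName", "OriginalFilename", "InternalName", "LegalCopyright")


def yara_escape(value: str) -> str:
    """Escape backslashes and quotes so the value is a valid YARA text string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def select_strings(versioninfo: dict) -> dict:
    """Pick the VersionInfo values the rule will require.

    Very short values (a bare "1.0", for example) are dropped: they occur in
    countless binaries and only add noise to an 'all of them' condition.
    """
    chosen = {}
    for field in FIELDS:
        value = (versioninfo.get(field) or "").strip()
        if len(value) >= 4:
            chosen[field] = value
    return chosen


def generate_rule(versioninfo: dict, sha256: str) -> str:
    """Emit a YARA rule whose condition is just 'all of them'.

    No MZ-header or filesize check is added on purpose, so the rule still
    fires when the driver is embedded in another file or scanned in memory.
    Strings are 'wide ascii' because VersionInfo is stored as UTF-16LE in the
    PE resource, while dropper code may carry the same values as ASCII.
    """
    chosen = select_strings(versioninfo)
    if not chosen:
        raise ValueError("no usable VersionInfo values")
    base = versioninfo.get("OriginalFilename") or sha256[:16]
    rule_name = "LOLDrivers_" + re.sub(r"[^A-Za-z0-9_]", "_", base)  # assumed naming
    lines = [
        f"rule {rule_name} {{",
        "    meta:",
        f'        description = "Detects {base} by its VersionInfo strings"',
        f'        hash = "{sha256}"',
        "    strings:",
    ]
    for field, value in chosen.items():
        lines.append(f'        ${field.lower()} = "{yara_escape(value)}" wide ascii')
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


def rule_matches(versioninfo: dict, data: bytes) -> bool:
    """Toy matcher for the generated rule: 'all of them' with 'wide ascii'
    means every string must occur either as ASCII or as UTF-16LE in data."""
    return all(
        v.encode("ascii", "ignore") in data or v.encode("utf-16-le") in data
        for v in select_strings(versioninfo).values()
    )


if __name__ == "__main__":
    print(generate_rule(SAMPLE_VERSIONINFO, SAMPLE_SHA256))
    # Constructed "container": junk, the driver's UTF-16LE VersionInfo, junk.
    payload = "".join(SAMPLE_VERSIONINFO.values()).encode("utf-16-le")
    blob = b"\x00" * 64 + payload + b"\xff" * 64
    print("embedded driver detected:", rule_matches(SAMPLE_VERSIONINFO, blob))
```

The trade-off to keep in mind: the looser the condition, the more the rule depends on the chosen strings being specific. A company name plus a generic description like "Driver" would match far too much, which is why short values are dropped and why a generated rule still deserves a quick review before it ships.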

Check it out here for more details.

750+ New Drivers

To expand the database, we dug into the Microsoft driver block list and are pleased to announce the addition of more than 750 new drivers. This update took a combination of hard work, creativity and, yes, an abundance of coffee.

It is a massive addition. It may not look like many pages were added (although many were), because most of the growth is in the depth of existing YAML files: a single file going from 200 lines to over 2000 is typical.

Not everything is perfect; there is a lot of data here that we are still cleaning up. If you find something incorrect, please open a PR or issue and we'll fix it. In some cases a single reference is listed, but many of these samples were actually found first-hand by hunting on VirusTotal. Everything should be aligned with the Microsoft block list, though we may have found some additional samples along the way. References will be updated as we work through them.

ClamAV

Our first contribution aimed at AV engines: a fresh ClamAV hash database is now produced on every PR.

Get it here: https://github.com/magicsword-io/LOLDrivers/tree/main/detections/av

Thank you Sanesecurity for the feedback!
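As an added example of what such a database looks like (this is not the project's build script), the block below writes ClamAV `.hsb` signature lines from a list of driver records. The record shape is a simplified assumption, not the real LOLDrivers schema, and the hashes are constructed. It dedupes hashes shared by several entries, drops malformed values, and uses the `*` size wildcard, which ClamAV accepts from functionality level 73 onward, so the signature matches regardless of file size.

```python
"""Build a ClamAV .hsb (SHA-256 hash signature) database from driver hashes.

Added example, not the project's build script. The records are constructed
and use an assumed, simplified shape (the real LOLDrivers JSON is richer).
"""
import re

# Constructed records: each driver lists one or more known-bad file hashes.
SAMPLE_DRIVERS = [
    {"Id": "driver-one", "Tags": ["example1.sys"],
     "KnownVulnerableSamples": [{"SHA256": "a" * 64}, {"SHA256": "B" * 64}]},
    {"Id": "driver-two", "Tags": ["example2.sys"],
     "KnownVulnerableSamples": [{"SHA256": "a" * 64},      # duplicate, dropped
                                {"SHA256": "not-a-hash"},   # malformed, dropped
                                {"SHA256": ""}]},           # empty, dropped
]

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sanitize(name: str) -> str:
    """Keep signature names to a conservative character set (no ':' or spaces)."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def build_hsb(drivers, prefix="LOLDrivers"):
    """Return the lines of a ClamAV .hsb file.

    One line per hash: <sha256>:<filesize>:<signature name>:<min flevel>
    '*' as the size wildcard requires functionality level 73 or later, so the
    fourth field is set to 73. Hashes are lower-cased and deduplicated.
    """
    seen = set()
    lines = []
    for driver in drivers:
        label = driver["Tags"][0] if driver.get("Tags") else driver["Id"]
        name = f"{prefix}.{sanitize(label)}"
        for sample in driver.get("KnownVulnerableSamples", []):
            digest = (sample.get("SHA256") or "").strip().lower()
            if not HEX64.match(digest) or digest in seen:
                continue
            seen.add(digest)
            lines.append(f"{digest}:*:{name}:73")
    return lines


if __name__ == "__main__":
    for line in build_hsb(SAMPLE_DRIVERS):
        print(line)
```

Save the output as a `.hsb` file and point the scanner at it directly, for example `clamscan -d loldrivers.hsb C:\Windows\System32\drivers`, to check it loads before merging it into a larger signature set.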

WDAC on the fly

We created a self-hosted runner in GitHub Actions to produce a WDAC policy for this release, and every release will now ship a WDAC policy that denies ALL the drivers in the project. Test it in a lab first, and deploy it in audit mode before enforcing it; it is most likely not production ready as-is.

NOTE: We are not able to offer support on this; it is provided freely and without support. If you brick a system, revert!

We want to thank everyone who helped show that this can be done.

If you are looking to merge this config with another, check out this thread here with Harvesterify.

Streamlit Update

We recently upgraded our Streamlit site to generate the GUID/ID a new entry needs on the fly, which simplifies the PR process. Visit the updated site:

https://loldrivers.streamlit.app/

LOLDrivers Output

CVE Enrichment

We expanded the schema with a cve: tag and populate it on the pages whose driver has a known CVE. We will do our best to keep it maintained.

Enrichment

New enrichment fields include:

  • TBS hashes (the to-be-signed hash of the signing certificate, the value WDAC signer rules key on)
  • Rich PE header hashes

The enrichment is now, well, rich, and we recommend reviewing it. The JSON file is over 11 MB with all this data.

Detections — Prevention

Yara button, Sysmon and Sigma Rule — OH MY

Every driver page now has a dropdown for each artifact we produce for that driver.

Speaking of Sysmon: Olaf Hartong kindly contributed the new Sysmon 15 FileExecutableDetected event (Event ID 29) to the project's config, which is regenerated on each PR.

VirusTotal Collections

We have created a collection of all the drivers involved in the project. This might be the most comprehensive list available.

LOLDriver Scanners

We saw lots of scanners go by! Some variations:

https://gist.github.com/gioxx/c487cc5036241b7b5e7e0905b7f2d348

https://twitter.com/jsecurity101/status/1684254154288517121?s=20
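As an added, cross-platform illustration of what these scanners do (this is not one of the community scripts linked above, nor project code), the block below walks a directory, hashes every `.sys` file and reports any whose SHA-256 is on a known-bad list. The hash-list format (one hex digest per line, `#` comments allowed) and the sample hashes are assumptions constructed for the example; in practice you would load the project's published hash list.

```python
"""Scan a directory tree for known vulnerable drivers by SHA-256.

Added example, not one of the community scanners. The known-bad hash set is
constructed from the sample bytes below; the hash-list format is assumed.
"""
import hashlib
import os
import re
import sys
import tempfile

CHUNK = 1 << 20
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Constructed "driver" contents used for the built-in demo.
BAD_BYTES = b"MZ constructed known-vulnerable driver bytes"
GOOD_BYTES = b"MZ constructed benign driver bytes"
SAMPLE_BAD_HASHES = {hashlib.sha256(BAD_BYTES).hexdigest()}


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large drivers don't hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hashes(lines) -> set:
    """Parse a hash list: one hex SHA-256 per line, blank and '#' lines skipped."""
    out = set()
    for line in lines:
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if HEX64.match(line):
            out.add(line)
    return out


def scan_directory(root: str, bad_hashes: set, suffixes=(".sys",)):
    """Return [(path, sha256)] for files under root whose hash is known bad."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file; skip rather than abort
            if digest in bad_hashes:
                hits.append((path, digest))
    return hits


def self_test_directory():
    """Create a temp tree with one bad .sys, one good .sys and a non-driver file."""
    root = tempfile.mkdtemp(prefix="loldrivers-demo-")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "bad.sys"), "wb") as f:
        f.write(BAD_BYTES)
    with open(os.path.join(root, "good.sys"), "wb") as f:
        f.write(GOOD_BYTES)
    with open(os.path.join(root, "bad.txt"), "wb") as f:
        f.write(BAD_BYTES)  # same bytes, wrong extension: ignored by the filter
    return root, hashlib.sha256(BAD_BYTES).hexdigest()


def main(argv):
    if len(argv) > 1:
        root = argv[1]
    elif os.name == "nt":
        root = r"C:\Windows\System32\drivers"
    else:
        root, _ = self_test_directory()
    bad = SAMPLE_BAD_HASHES
    if len(argv) > 2:
        with open(argv[2]) as f:
            bad = load_hashes(f)
    for path, digest in scan_directory(root, bad):
        print(f"KNOWN VULNERABLE DRIVER: {path} sha256={digest}")


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats worth remembering with any hash-based scanner: an attacker bringing their own driver does not have to drop it under System32\drivers, so scan the whole volume or pair this with Sysmon's FileExecutableDetected event; and a hash only matches the exact file, so a recompiled or re-signed build of the same vulnerable code is missed, which is exactly the gap the VersionInfo YARA rules and the certificate TBS hashes are meant to cover.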

Microsoft Testing

Yarden Shafir shared some analysis back in May regarding which drivers still load. At the time, 170 of them were able to load with the latest HVCI driver blocklist.

The gist is here: https://gist.github.com/yardenshafir/048a957e7e52978b32e43a7e4e1e72bb

Milestones

We hit our Git LFS limit: https://twitter.com/wdormann/status/1661006812932628480?s=20

Honorable Mentions

Neat shares:

Looking Ahead

We want to help and share more. To that end, we've created a Premium option, mainly to gauge interest.

The core idea is that we can provide a targeted WDAC policy covering the known LOLDrivers that still load, along with help on rapid response, SIEM integration and more. If you are interested, please let us know here.

We also want to acknowledge this thread:

We've started extending the schema to cover known vulnerable drivers that are being abused in the wild. Think of it as Release 2.1 :)

LOLDrivers 3.0 — “Prove it” edition

Looking further ahead, our goal for LOLDrivers 3.0 is to demonstrate how each driver is vulnerable. That is a significant amount of work, because reversing a driver and pinning down the vulnerable functions is a complex methodology, so 3.0 won't happen overnight. The release will combine dynamic and static validation with automation, and we think it will be worth the wait.

Feedback

We rely on you, the community, for feedback! If you have questions, comments, requests — please do not hesitate to reach out!

Thank you all for a great release!
