Streamlining LOLDrivers Contributions Via Streamlit

Nasreddine Bencherchali, published in magicswordio, Nov 10, 2023

Since its inception last year, the LOLDrivers project has seen mass adoption throughout the community, from users to vendors and everyone in between.

With the simple but powerful mission of shining a light on the obscure topic of living-off-the-land driver abuse, our aim has always been to make the information accessible and actionable.

A couple of months ago, my esteemed colleague and fellow LOLDrivers maintainer Michael Haag secretly announced the LOLDrivers Streamlit app on Splunk’s Coffee Talk with SURGe.

This app aims to help contributors and maintainers alike by easing the process of adding new drivers and their YAML descriptors.

Today we’re happy to announce a couple of new features that make this process even easier and, we hope, welcome more contributors.

Let’s get started.

Uploading Your Driver

The first new update is probably the coolest quality-of-life improvement that was added. It streamlines the contribution process completely by allowing users to upload a driver and enrich the YAML with all its juicy metadata on the fly, with the click of a button.

New LOLDriver App Upload Feature

In the background this uses the same enrichment script that’s used internally by the LOLDrivers repository. It collects all the info that’s required, and by the end you’re left with a YAML that’s ready to be submitted in a PR :)

Enriched YAML Output

Download Drivers Via VT

The second feature is even more streamlined, and it doesn’t even require you to have the driver downloaded.

Say you’re reading a report that happens to discuss driver abuse, such as the “AuKill” EDR killer malware reported by Sophos:

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

This malware leverages a vulnerable Process Explorer driver, and if we scroll down to the IOC list we can get its hash:

cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

With a simple VT search we can find the file there:

https://www.virustotal.com/gui/file/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

If you wanna contribute the file to LOLDrivers, the traditional approach would be:

  • Download the file
  • Create YAML
  • Execute enrichment script on it
  • Submit PR

That’s a little bit too long for some, including us at LOLDrivers HQ. Using the new Streamlit app feature, you only need to provide your VT API key and a list of hashes, and the magic is applied for you.
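As an added illustration (not the LOLDrivers app’s or enrichment script’s own code), the sketch below does the two things the hash-based path needs before any PR: validate the pasted hash list so only well-formed SHA-256s are ever sent to VT, and map the decoded VirusTotal API v3 file object for one hash onto a `KnownVulnerableSamples` entry. The VT attribute names are the public v3 ones; the LOLDrivers field names are my approximation of the project’s YAML, and the sample response is constructed.

```python
import re
from datetime import datetime, timezone

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def parse_hash_list(text):
    """Split a pasted hash list (one per line, '#' comments and blanks ignored)
    into valid de-duplicated lower-case SHA-256s and the rejected lines."""
    seen, good, bad = set(), [], []
    for line in text.splitlines():
        h = line.strip().lower()
        if not h or h.startswith("#"):
            continue
        if not SHA256_RE.match(h):
            bad.append(h)            # wrong length or non-hex: never sent to VT
        elif h not in seen:
            seen.add(h)
            good.append(h)
    return good, bad

def vt_to_sample(vt_file):
    """Map a VirusTotal API v3 file object (GET /api/v3/files/{hash}) onto a
    LOLDrivers-style KnownVulnerableSamples entry. The field names approximate
    the public LOLDrivers YAML; they are an assumption, not the project's script."""
    attrs = vt_file["data"]["attributes"]
    sig = attrs.get("signature_info", {})   # missing entirely for unsigned files
    signers = [s.strip() for s in sig.get("signers", "").split(";") if s.strip()]
    ts = attrs.get("first_submission_date")  # Unix epoch seconds
    return {
        "Filename": attrs.get("meaningful_name", ""),
        "MD5": attrs.get("md5", ""),
        "SHA1": attrs.get("sha1", ""),
        "SHA256": attrs["sha256"],
        "Signature": signers,
        "Date": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d") if ts else "",
        "Publisher": signers[0] if signers else "",
        "Description": sig.get("description", ""),
        "Product": sig.get("product", ""),
        "OriginalFilename": sig.get("original name", ""),
    }

# Constructed stand-in for the decoded JSON body of a VT response: the SHA-256
# is the one quoted in the post, every other value is made up for this example.
SAMPLE_VT_RESPONSE = {"data": {"attributes": {
    "sha256": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc",
    "md5": "0" * 32, "sha1": "0" * 40, "meaningful_name": "example_driver.sys",
    "first_submission_date": 1681905600, "signature_info": {
        "signers": "Constructed Signer Inc; Constructed CA", "product": "Example Tool",
        "description": "Example kernel driver", "original name": "example_driver.sys"}}}}
```

Everything above runs offline; in the real flow the dict handed to `vt_to_sample` would be the parsed response of an authenticated GET to the VT endpoint named in the docstring.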

That’s Not a Valid API Key.

Conclusion

We hope these new features excite you as much as they excite us, and we look forward to even more contributions from the community.

Happy hunting ⚔️

I write about #Detection and #WindowsInternals. Follow https://github.com/nasbench/Misc-Research for interesting Windows tidbits.