DriverScope
Automated BYOVD hunting pipeline. Scans Windows kernel drivers for dangerous imports, extracts IOCTL dispatch surfaces, cross-references against LOLDrivers / MS Blocklist / KDU, and surfaces novel zero-day candidates not yet in any public database.
Python 3.10+, Windows. MIT-licensed.
Install
pip install git+https://github.com/diabloidyobane/DriverScope.git
pip install capstone # optional, better IOCTL extraction
pip install speakeasy-emulator # optional, driver emulation via Speakeasy
Quick start
# scan your system drivers
driverscope scan C:\Windows\System32\drivers --lol --ioctl
# full zero-day hunt
driverscope hunt --deep --export findings.json
# extract IOCTLs from a specific driver
driverscope ioctl suspicious.sys --json
Live PoC
Actual output from C:\Windows\System32\drivers on a Windows 11 host:
$ driverscope scan C:\Windows\System32\drivers
SCAN RESULTS: 423 flagged / 463 total (40 clean)
dxgkrnl.sys 14 x64 YES PhysMem-Map, MSR, PCI-Config, Token-Priv +10
cldflt.sys 10 x64 CrossProc-Attach, PhysMem-Map, Process-Lookup +7
storport.sys 10 x64 YES PhysMem-Map, PhysMem-Section, MDL +7
acpi.sys 9 x64 YES MSR, PCI-Config, PhysMem-Map +6
ntfs.sys 9 x64 YES PhysMem-Map, PhysMem-Unmap, Token-Priv +6
tcpip.sys 9 x64 YES Callback-Bypass, CrossProc-Attach +7
... 417 more
$ driverscope ioctl bam.sys
bam.sys
SHA256: dcf689b7...a5e314c3
Method: capstone
Dispatcher RVA: 0x11920
IOCTLs found: 2
0x00000004 METHOD_BUFFERED
-> IoThreadToProcess
0x00000003 METHOD_NEITHER
-> ExAcquirePushLockExclusiveEx
-> KeEnterCriticalRegion
$ driverscope ioctl acpi.sys
acpi.sys
Method: brute
IOCTLs found: 34
0xfffc4e95 METHOD_IN_DIRECT
0xfffc4e94 METHOD_BUFFERED
0xfffc4eb3 METHOD_NEITHER
0xfffc4ca2 METHOD_OUT_DIRECT
... 30 more
18 Primitive Classes
Every flagged import maps to a kernel primitive that BYOVD attacks exploit:
| Class | Example Import |
|---|---|
| PhysMem-Map | MmMapIoSpace |
| PhysMem-Unmap | MmUnmapIoSpace |
| PhysMem-Section | ZwMapViewOfSection |
| PhysMem-Copy | MmCopyMemory |
| CrossProc-VA | ZwReadVirtualMemory |
| CrossProc-Attach | KeStackAttachProcess |
| Process-Lookup | PsLookupProcessByPid |
| CR-Regs | __readcr0, __writecr0 |
| MSR | __readmsr, __writemsr |
| Debug-Regs | __readdr |
| KernelAlloc | ExAllocatePoolWithTag |
| KernelExec | MmAllocateContiguous |
| I/O-Port | READ_PORT_UCHAR |
| PCI-Config | HalGetBusData |
| Interrupt | HalSetSystemInformation |
| Registry | ZwSetValueKey |
| Token-Priv | SePrivilegeCheck |
| Callback-Bypass | CmUnRegisterCallback |
Subcommands
| Command | What it does |
|---|---|
scan |
Scan .sys files for dangerous kernel imports |
ioctl |
Extract IOCTL dispatch surface from a driver |
emulate |
Speakeasy emulation: trace DriverEntry, extract device names, PDB paths, debug strings |
hunt |
Full-system zero-day hunting pipeline |
harvest |
Download OEM tools and extract embedded drivers |
regional |
Search LOLDrivers by regional vendor (CN/KR/JP/TW/RU) |
wdm |
Filter for WDM drivers with physmem primitives |
bulk |
Bulk-scrape vendor download portals via Playwright |
triage |
Bulk Claude API triage of scan/ioctl findings |
All options
driverscope scan driver.sys # scan one file
driverscope scan C:\drivers --lol --blocklist # scan dir + cross-ref
driverscope scan C:\drivers --ioctl # scan + extract IOCTLs
driverscope scan C:\drivers --ioctl --json # full JSON output
driverscope scan C:\drivers --export out.json # write results to file
driverscope hunt # zero-day hunt (System32\drivers)
driverscope hunt --deep --export hits.json # include DriverStore + Program Files
driverscope ioctl driver.sys # extract IOCTL codes (single file)
driverscope ioctl C:\drivers --hits-only # batch directory, skip empty
driverscope emulate driver.sys # trace DriverEntry via Speakeasy
driverscope emulate C:\drivers --json # batch emulate a directory
driverscope harvest --output ./harvested --scan # download OEM tools, extract + scan
driverscope regional --region CN,JP # LOLDrivers by vendor region
driverscope wdm C:\drivers # WDM-only physmem filter
Bulk vendor scraping
The bulk subcommand uses Playwright to scrape vendor download portals at scale. 55 vendors across 10 regions: TW, HK, CN, KR, JP, RU, DE, US, IN, and multi-vendor global archives. Use it to build a corpus of vendor-signed drivers far outside what's already in LOLDrivers.
| Region | Vendors |
|---|---|
| TW (10) | MSI, ASRock, Gigabyte, Asus, Acer, Biostar, ECS, Realtek, Foxconn-TW, PowerColor |
| HK (2) | ZOTAC, Sapphire |
| CN (10) | Lenovo, Huawei, Xiaomi, Colorful, Yeston, Galax, Onda, Foxconn-CN, ZTE, MAXSUN |
| KR (3) | Samsung, LG, GIGABYTE-KR |
| JP (7) | Buffalo, IO-Data, Elecom, Logitec-JP, Sony, NEC, Panasonic |
| RU (5) | DriverPack, Driver.ru, DRP-Catalog, 4PDA, Yandex |
| DE (4) | BeQuiet, Endorfy, Fujitsu, Medion |
| US (7) | EVGA, XFX, Dell, HP, Intel-DSA, AMD, Nvidia |
| IN (1) | iBall |
| global (6) | Station-Drivers, MS Update Catalog, DriverGuide, TechSpot, CNET, MajorGeeks |
pip install driverscope[bulk]
playwright install chromium
driverscope bulk --list # 55 vendor targets, see above
driverscope bulk --region CN,KR,RU --scan # crawl China + Korea + Russia, scan results
driverscope bulk --region JP --category laptop # Japanese laptop vendors only
driverscope bulk --vendors DriverPack-RU,4PDA-Files # RU aggregator focus
driverscope bulk --category gpu --output ./gpu_corpus
driverscope bulk --max-pages 10 # deep crawl, all vendors
Output goes to <output>/<vendor>/<file>. Each vendor runs in parallel under a concurrency cap. Downloads cap at 200MB per file and skip files that already exist on disk (idempotent re-runs).
Why regional matters for BYOVD hunting: CN, KR, JP, and RU vendors ship signed drivers that rarely appear in English-language security research. Many never reach LOLDrivers because nobody English-speaking has looked. The same goes for OEM laptop manufacturers' bundled telemetry/overclock/fan-control drivers — signed, broad install base, often built by third-party contractors with no security review.
Bulk Claude triage
After scan/ioctl extraction, pipe the JSON output through triage to get per-IOCTL verdicts from Claude:
pip install driverscope[triage]
export ANTHROPIC_API_KEY=sk-ant-...
driverscope scan ./corpus --ioctl --json --export findings.json
driverscope triage findings.json --output triage.md
Each finding produces:
IOCTL 0x80102040 CONFIRMED-PRIMITIVE MmMapIoSpace exposed with no caller check
IOCTL 0x80102044 LIKELY-PRIMITIVE PhysMem write reachable; bounds check is weak
IOCTL 0x80102048 GATED Guarded by process-name allowlist
OVERALL: CONFIRMED-PRIMITIVE Driver exposes arbitrary physical R/W via two IOCTLs
Triage runs concurrently (default 4 in flight). Use --concurrency 8 if you have API capacity. Default model: claude-opus-4-6.
Speakeasy emulation
The emulate subcommand uses Mandiant Speakeasy to emulate DriverEntry without loading the driver. It traces kernel API calls, extracts device names, PDB paths, debug strings, and classifies primitives from runtime behavior that static import scanning alone can't reach.
pip install driverscope[emulate]
driverscope emulate driver.sys # single driver
driverscope emulate C:\drivers --json # batch directory
driverscope emulate a.sys b.sys c.sys --export results.json
Real output from 4 drivers (0.6s total wall-clock):
# Driver Device EPs Crash PDB Primitives
-- ---------------------------- --------------------- --- ----- -------------------- ----------
1 GlobalVistaVentures_v3.sys GlobalVistaVentures 6 Kinkajou CR-Regs, CrossProc-VA, PageTable-Walk, VAD-Inject +4
2 signeddrv.sys 5 Windows-Memory-Info CrossProc-VA, KernelMem-Copy, PhysMem-Map
3 RTCore64.sys RTCore64 5 PhysMem-Map, PhysMem-Section
4 PawnIO.sys