Analysis updated 2026-05-18
Scan a Windows system's drivers folder for dangerous kernel imports and cross-reference results against the LOLDrivers and Microsoft blocklists
Extract IOCTL control codes from a driver binary to map its kernel attack surface during an authorized security assessment
Build a corpus of vendor-signed drivers by scraping 55 hardware vendor portals and running automated BYOVD analysis
Generate a boofuzz IOCTL fuzzing harness for a suspicious driver and trace its initialization with Speakeasy emulation
| | diabloidyobane/driverscope | hiangx-robotics/metafine | nanovisionx/raev2 |
|---|---|---|---|
| Stars | 68 | 70 | 70 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | hard | hard |
| Complexity | 3/5 | 5/5 | 5/5 |
| Audience | developer | researcher | researcher |
Figures from each repo's GitHub metadata at analysis time.
Requires Windows for full driver analysis; optional extras add Capstone disassembly, Speakeasy emulation, and Playwright for bulk vendor scraping.
DriverScope is a Python-based tool for analyzing and hunting vulnerable Windows kernel drivers, specifically those that could be exploited in Bring Your Own Vulnerable Driver (BYOVD) attacks, where an attacker loads a legitimately signed but vulnerable driver to gain privileged kernel access. The tool automates scanning driver files for dangerous kernel function imports, extracting the IOCTL control codes a driver exposes, cross-checking results against the LOLDrivers database and the Microsoft vulnerable driver blocklist, and flagging drivers not yet in any known public list.

The scanning engine classifies dangerous imports into 18 kernel primitive categories, such as physical memory mapping, cross-process memory access, MSR reads and writes, token privilege manipulation, and security callback bypass. Every flagged import maps to one of these categories so analysts can see what kernel capabilities an attacker could access through that driver. A live test against a standard Windows 11 system's drivers folder flagged 423 out of 463 drivers as having at least one dangerous primitive.

Beyond import scanning, DriverScope can extract the IOCTL dispatch table from a driver binary, which reveals which control codes the driver accepts from user space and which kernel functions those codes can reach. A separate emulation subcommand uses the Speakeasy library to trace a driver's initialization without loading it on the system, recovering device names, debug strings, and other runtime details.

Additional subcommands support the full research workflow: downloading signed drivers from 55 vendor portals across 10 regions to build a test corpus, clustering similar drivers by fuzzy hash, generating boofuzz-based IOCTL fuzzing harnesses, and running AI-assisted triage via the Claude API. The tool is intended for authorized security research and is released under the MIT license.
A Python pipeline that hunts vulnerable Windows kernel drivers by scanning imports, extracting IOCTL surfaces, cross-referencing public blocklists, and flagging novel zero-day candidates for authorized security research.
Mainly Python. The stack also includes Capstone and Speakeasy.
MIT: use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 5 minutes to a first successful run.
Intended audience: mainly developers.
Verify against the repo before relying on details.