explaingit

diabloidyobane/driverscope

Analysis updated 2026-05-18

Stars · 68 · Language · Python · Audience · developer · Complexity · 3/5 · License · MIT · Setup · moderate

TLDR

A Python pipeline that hunts vulnerable Windows kernel drivers by scanning imports, extracting IOCTL surfaces, cross-referencing public blocklists, and flagging novel zero-day candidates for authorized security research.

Mindmap

mindmap
  root((DriverScope))
    Core Features
      Import scanning
      IOCTL extraction
      LOLDrivers cross-ref
      Novel driver flagging
    Kernel Primitives
      Physical memory map
      Cross-process access
      MSR registers
      Token privileges
    Analysis Tools
      Capstone disassembly
      Speakeasy emulation
      Fuzzy hash clustering
    Corpus Building
      55 vendor portals
      10 global regions
      Playwright scraping
    Triage
      Claude API triage
      boofuzz harness gen

What do people build with it?

USE CASE 1

Scan a Windows system's drivers folder for dangerous kernel imports and cross-reference results against the LOLDrivers and Microsoft blocklists

USE CASE 2

Extract IOCTL control codes from a driver binary to map its kernel attack surface during an authorized security assessment

USE CASE 3

Build a corpus of vendor-signed drivers by scraping 55 hardware vendor portals and running automated BYOVD analysis

USE CASE 4

Generate a boofuzz IOCTL fuzzing harness for a suspicious driver and trace its initialization with Speakeasy emulation

What is it built with?

Python · Capstone · Speakeasy · IDA / Ghidra · Playwright · Claude API

How does it compare?

                    diabloidyobane/driverscope   hiangx-robotics/metafine   nanovisionx/raev2
Stars               68                           70                         70
Language            Python                       Python                     Python
Setup difficulty    moderate                     hard                       hard
Complexity          3/5                          5/5                        5/5
Audience            developer                    researcher                 researcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 5 min

Requires Windows for full driver analysis; optional extras add Capstone disassembly, Speakeasy emulation, and Playwright for bulk vendor scraping.

MIT: use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

DriverScope is a Python-based tool for analyzing and hunting vulnerable Windows kernel drivers, specifically those that could be exploited in Bring Your Own Vulnerable Driver (BYOVD) attacks, where an attacker loads a legitimately signed but vulnerable driver to gain privileged kernel access. The tool automates scanning driver files for dangerous kernel function imports, extracting the IOCTL control codes a driver exposes, cross-checking results against the LOLDrivers database and the Microsoft vulnerable driver blocklist, and flagging drivers not yet in any known public list.

The scanning engine classifies dangerous imports into 18 kernel primitive categories, such as physical memory mapping, cross-process memory access, MSR register reads and writes, token privilege manipulation, and security callback bypass. Every flagged import maps to one of these categories so analysts can see what kernel capabilities an attacker could access through that driver. A live test against a standard Windows 11 system's drivers folder flagged 423 out of 463 drivers as having at least one dangerous primitive.

Beyond import scanning, DriverScope can extract the IOCTL dispatch table from a driver binary, which reveals which control codes the driver accepts from user space and which kernel functions those codes can reach. A separate emulation subcommand uses the Speakeasy library to trace a driver's initialization without loading it on the system, recovering device names, debug strings, and other runtime details.

Additional subcommands support the full research workflow: downloading signed drivers from 55 vendor portals across 10 regions to build a test corpus, clustering similar drivers by fuzzy hash, generating boofuzz-based IOCTL fuzzing harnesses, and running AI-assisted triage via the Claude API. The tool is intended for authorized security research and is released under the MIT license.

Copy-paste prompts

Prompt 1
Using DriverScope, scan C:\Windows\System32\drivers with LOLDrivers cross-referencing and IOCTL extraction enabled. Export results to findings.json.
Prompt 2
Run DriverScope's ioctl subcommand on a specific .sys file. What do the extracted IOCTL codes and their kernel functions tell me about the driver's attack surface?
Prompt 3
Use DriverScope's emulate subcommand on a suspicious driver to trace its DriverEntry. What information does Speakeasy recover that static analysis misses?
Prompt 4
Walk me through using DriverScope's bulk subcommand to scrape CN and JP vendor portals and automatically scan the downloaded drivers.
Prompt 5
DriverScope flagged a driver with PhysMem-Map and Token-Priv primitives. Explain what a BYOVD attacker could do with those two kernel capabilities.

Frequently asked questions

What is driverscope?

A Python pipeline that hunts vulnerable Windows kernel drivers by scanning imports, extracting IOCTL surfaces, cross-referencing public blocklists, and flagging novel zero-day candidates for authorized security research.

What language is driverscope written in?

Mainly Python. The stack also includes Capstone and Speakeasy.

What license does driverscope use?

MIT: use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is driverscope to set up?

Setup difficulty is rated moderate, with roughly 5 min to a first successful run.

Who is driverscope for?

Mainly developers.

Verify against the repo before relying on details.