Last active
November 15, 2024 19:11
-
-
Save leechristensen/04811e63a0bb385d20ad1a77c77e54d0 to your computer and use it in GitHub Desktop.
Enumerates loaded Kernel drivers that import callback APIs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Find loaded kernel drivers that register callbacks | |
| # Requirements: NtObjectManager (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager) | |
| function Get-DriversWithCallbacks { | |
| [CmdletBinding()] | |
| Param() | |
| Get-NtKernelModule | ForEach-Object { | |
| $ModulePath = $_.FullPathName | |
| $FilePath = $null | |
| try { | |
| $FilePath = Get-NtFileFinalPath -FormatWin32Path $ModulePath -ErrorAction Stop | |
| } catch { | |
| Write-Warning "Could not find Win32 path for the driver $ModulePath" | |
| } | |
| if($FilePath) { | |
| $Module = Get-Win32ModuleImport -Path $FilePath | |
| $NtoskrnlFuncs = $Module ` | |
| | Where-Object { $_.DllName -match 'ntoskrnl.exe'} ` | |
| | Select-Object -ExpandProperty Functions | |
| $ImportRegex = 'PsSetCreateProcessNotifyRoutine|PsSetCreateThreadNotifyRoutine|PsSetLoadImageNotifyRoutine|CmRegisterCallback|ObRegisterCallbacks|ExRegisterCallback' | |
| $Callbacks = $NtoskrnlFuncs | Where-Object { $_.Name -match $ImportRegex } | |
| if($Callbacks) { | |
| New-Object psobject -Property @{ | |
| Path = $FilePath | |
| Imports = ($Callbacks | select -ExpandProperty Name) | |
| } | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment