A scalable pipeline for analyzing Windows drivers for potential vulnerabilities, built on top of Karton and MWDB Core.
Automated patch diffing, semantic analysis, and vulnerability scoring is powered by AutoPiff — see that repository for details on the analysis engine, rule sets, and Ghidra scripts.
This project automatically processes and analyzes Windows drivers through a multi-stage pipeline. It monitors for new driver versions, extracts metadata, checks digital signatures, performs patch diffing with semantic analysis, traces reachability from attack surfaces, scores findings, and generates reports with alerting.
| Stage | Service | Description |
|---|---|---|
| 0 | Driver Monitor | Polls WinBIndex and VirusTotal for new driver versions, uploads to MWDB |
| 1-4 | Patch Differ | Binary diffing via Ghidra, semantic rule matching (58 rules across 22 categories) |
| 5 | Reachability | Ghidra call-graph analysis tracing paths from IOCTL/IRP entry points to changed functions, plus full decompilation export |
| 6 | Ranking | Scores and ranks findings based on reachability, semantic severity, and attack surface |
| 7 | Report | Generates markdown reports attached to MWDB samples |
| 8 | Alerter | Sends Telegram alerts for high-scoring findings (score >= 8.0) |
- Signature Service: Verifies digital signatures using Sysinternals Sigcheck (via Wine).
- Classifier: Identifies file type and architecture.
- IOCTLance: Symbolic execution (via angr) to find vulnerabilities in IOCTL handlers.
- Reporter: Aggregates Karton results and uploads to MWDB.
- Telegram Bot: Interactive bot for dynamic watchlist management (
/watchdriver). - Dashboard: Web UI for pipeline status and analysis results.
- Docker and Docker Compose
- (Optional) Python 3 for running helper scripts
- (Optional)
VT_API_KEYfor VirusTotal driver monitoring - (Optional)
TELEGRAM_BOT_TOKENandTELEGRAM_CHAT_IDfor alerts
-
Clone the repositories:
git clone https://github.com/yourusername/driver_analyzer.git git clone https://github.com/splintersfury/AutoPiff.git cd driver_analyzerAutoPiff must be cloned alongside this repo (as
../AutoPiff) — several services build from it. -
Environment Setup (Required):
cp .env.example .env
Edit
.envand set:MWDB_API_KEY— generate after first MWDB login (see step 5)TELEGRAM_BOT_TOKEN— for alerts and the Telegram bot (optional)TELEGRAM_CHAT_ID— target chat for alerts (optional)VT_API_KEY— for VirusTotal driver monitoring (optional)
-
Start the services:
docker compose up -d --build
-
Access the dashboards:
- MWDB Core: http://localhost:8080 (Login:
admin/admin— default) - Karton Dashboard: http://localhost:8081
- Driver Dashboard: http://localhost:8088
- MWDB Core: http://localhost:8080 (Login:
-
Final Configuration:
- Log in to MWDB.
- Generate an API Key (Settings -> API Key).
- Update
MWDB_API_KEYin your.envfile. - Restart the stack:
docker compose up -d.
┌──────────────────┐
│ Driver Monitor │ (Stage 0)
│ WinBIndex + VT │
└────────┬─────────┘
│ uploads new .sys to MWDB
▼
┌──────────────────┐
│ MWDB Core │
└────────┬─────────┘
│ triggers Karton pipeline
▼
┌──────────────────────────────┐
│ Classifier + Signature │
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ Patch Differ (Stages 1-4) │ ← AutoPiff
│ diff + semantic rules │
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ Reachability (Stage 5) │ ← AutoPiff
│ call-graph + decompilation │
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ Ranking (Stage 6) │ ← AutoPiff
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ Report (Stage 7) │ ← AutoPiff
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ Alerter (Stage 8) │ ← AutoPiff
│ Telegram high-score alerts │
└──────────────────────────────┘
Services marked ← AutoPiff build from the AutoPiff repository (../AutoPiff).
Continuously polls for new driver versions from two sources:
- WinBIndex: Monitors 14 system drivers (cldflt.sys, ntfs.sys, afd.sys, win32k.sys, etc.)
- VirusTotal Intelligence: Searches for new uploads from security vendors (CrowdStrike, SentinelOne, Sophos, ESET)
- Supports dynamic watchlist additions via Telegram
/watchdrivercommand
Automatically compares an uploaded driver against older versions found in the database.
- Strict Arch Matching: Ensures x64 is only diffed against x64.
- Semantic Analysis: 58 vulnerability detection rules across 22 categories.
- Match Rate Tagging:
diff_match:high(>85%),diff_match:medium(70-85%),diff_match:low(<70%). - Reports: Generates markdown reports highlighting changed functions and security fix patterns.
Traces call paths from driver entry points to changed functions using Ghidra headless analysis.
- Classifies reachability as
ioctl,irp,pnp,internal, orunknown. - Exports full decompiled C source to MWDB for caching and review.
Scores findings based on reachability from attack surfaces, semantic severity, and exploitability indicators.
Produces structured markdown reports attached to MWDB samples.
Sends Telegram notifications for high-confidence findings (score >= 8.0 with IOCTL/IRP/filesystem surface area).
Files uploaded to MWDB are stored in a Docker Named Volume (mwdb-uploads-data), ensuring data persistence across container restarts.
python3 reanalyze_mwdb.py --days 1 # Reanalyze samples from the last 24h- AutoPiff — The analysis engine powering Stages 1-8. Contains Ghidra scripts, semantic rules, Karton services, and the scoring framework.
This project is licensed under the MIT License - see the LICENSE file for details.