DriverShield — Kernel Driver Vulnerability & Malware Analysis
DriverShield is a security platform that analyzes Windows kernel driver files (.sys) for vulnerabilities, malware patterns, and BYOVD (Bring Your Own Vulnerable Driver) attack indicators.
Features
- Static and dynamic PE analysis
- YARA signature matching with 12+ rules
- VirusTotal integration (72+ AV engines)
- IOCTL dispatch code extraction and risk classification
- Control Flow Integrity (CFI) analysis
- Symbolic execution for vulnerability discovery
- Sigma SIEM rule generation
- MITRE ATT&CK technique mapping
- Code signing and certificate verification
- LOLDrivers known-vulnerable driver database
- AI behavioral classification
API Documentation
Endpoint 1 — SHA256 Hash Lookup
Query the DriverShield database for previously analyzed Windows kernel drivers using their SHA256 file hash.
Request: GET /?r=apilookup&sha256={64-char-hex-hash}
No authentication required. Returns risk score, verdict, VirusTotal detection counts, YARA match count, and MITRE ATT&CK technique mappings.
Response Fields
- found — boolean, whether the hash exists in the database
- sha256 — the queried hash
- filename — original driver filename
- risk_score — composite risk score (0-100)
- verdict — clean, suspicious, vulnerable, or malicious
- vt_detections / vt_total — VirusTotal detection ratio
- yara_matches — number of YARA rule matches
- scanned_at — analysis timestamp
- mitre — array of MITRE ATT&CK technique IDs
Example (cURL)
curl -s "https://drivershield.io/?r=apilookup&sha256=AD40E8A0C3F39D47A6A2E74DCDB81C6A51B45F2DE8FBB7B7D73C38B7E3B8A271"
Example (Python)
import requests
# The hash must be the full 64-character hex SHA256 (truncated here for brevity)
r = requests.get("https://drivershield.io/", params={"r": "apilookup", "sha256": "AD40E8..."})
data = r.json()
if data["found"]:  # risk_score/verdict are only present for known hashes
    print(f"Score: {data['risk_score']}/100 - {data['verdict']}")
else:
    print("hash not in DriverShield database")
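The following is an added example of a lookup client for Endpoint 1; it is not DriverShield's own code. It validates the hash before sending it, builds the documented GET URL, and turns the documented response fields into a summary line and a triage decision. The triage policy (clean allows, suspicious goes to review, vulnerable or malicious is blocked) is an assumption for a driver-allowlisting workflow, and the sample record served by fake_fetch is constructed for this example, not a real DriverShield result.

```python
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://drivershield.io/"          # host from the docs
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")   # the endpoint wants a 64-char hex hash

# Constructed sample record shaped after the documented response fields.
# The hash and every value are made up for this example, not a real lookup.
SAMPLE_RECORD = {
    "found": True,
    "sha256": "deadbeef" * 8,
    "filename": "example_driver.sys",
    "risk_score": 85,
    "verdict": "vulnerable",
    "vt_detections": 12,
    "vt_total": 72,
    "yara_matches": 3,
    "scanned_at": "2024-01-01T00:00:00Z",
    "mitre": ["T1068", "T1014"],
}


def build_lookup_url(sha256):
    """Validate the hash client-side and build the documented GET URL."""
    if not SHA256_RE.match(sha256):
        raise ValueError("sha256 must be exactly 64 hexadecimal characters")
    query = urllib.parse.urlencode({"r": "apilookup", "sha256": sha256.lower()})
    return BASE_URL + "?" + query


def http_get(url):
    """Real transport (not used offline): fetch the JSON body as bytes."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def fake_fetch(url):
    """Offline stand-in for the server: serves SAMPLE_RECORD for its hash and
    a not-found body for anything else."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    h = qs.get("sha256", [""])[0]
    if h == SAMPLE_RECORD["sha256"]:
        return json.dumps(SAMPLE_RECORD).encode()
    return json.dumps({"found": False, "sha256": h}).encode()


def lookup(sha256, fetch=http_get):
    """Query the hash-lookup endpoint and return the decoded JSON record."""
    return json.loads(fetch(build_lookup_url(sha256)).decode())


def triage(record):
    """Map a lookup record to an allowlisting decision (assumed policy, not
    from the docs): unknown hashes get no verdict, clean allows, suspicious
    goes to review, vulnerable/malicious (BYOVD candidates) are blocked."""
    if not record.get("found"):
        return "unknown"
    verdict = record.get("verdict")
    if verdict == "clean":
        return "allow"
    if verdict == "suspicious":
        return "review"
    if verdict in ("vulnerable", "malicious"):
        return "block"
    return "review"   # unexpected verdict string: fail towards human review


def summarize(record):
    """One-line summary of the documented fields for a log line or ticket."""
    if not record.get("found"):
        return f"{record.get('sha256', '?')}: not in DriverShield database"
    mitre = ",".join(record.get("mitre") or []) or "-"
    return (f"{record['verdict']} ({record['risk_score']}/100), "
            f"VT {record['vt_detections']}/{record['vt_total']}, "
            f"YARA {record['yara_matches']}, MITRE {mitre}")


if __name__ == "__main__":
    rec = lookup("DEADBEEF" * 8, fetch=fake_fetch)   # offline demo
    print(summarize(rec), "->", triage(rec))
```

Passing fetch=http_get (the default) runs the real query; the injected fetch keeps the transport separate from the parsing and decision logic so the latter can be tested without network access. Rejecting malformed hashes locally also avoids sending arbitrary strings to the unauthenticated endpoint.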
Endpoint 2 — Upload & Scan Driver
Upload a .sys driver file for full automated analysis. Requires API token authentication.
Request: POST /?r=api/upload
Headers: X-Driver-MD5: {your_api_token}
Body: multipart/form-data with field file containing the .sys binary.
Accepted: .sys files only, max 50 MB, must have valid PE headers.
Example (cURL)
curl -X POST "https://drivershield.io/?r=api/upload" -H "X-Driver-MD5: YOUR_TOKEN" -F "file=@driver.sys"
Example (Python)
import requests
with open("driver.sys", "rb") as f:  # context manager closes the file after the upload
    r = requests.post("https://drivershield.io/?r=api/upload",
                      headers={"X-Driver-MD5": "YOUR_TOKEN"},
                      files={"file": f})
r.raise_for_status()  # 401/403/422/429 raise here instead of failing on a missing "result"
print(r.json()["result"]["verdict"])
Error Codes
- 401 — Missing or invalid API token
- 403 — Account suspended
- 422 — Invalid file (wrong extension, too large, invalid PE)
- 429 — Rate limit exceeded (30 uploads/hour)
Rate Limits
- Hash Lookup: Unlimited
- File Upload: 30 requests per hour per IP
- Authentication: 10 attempts per 15 minutes per IP
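The following is an added example of an upload client for Endpoint 2; it is not DriverShield's own code. It applies the documented acceptance rules (.sys extension, 50 MB cap, valid PE headers) locally before spending one of the 30 hourly upload slots, keeps a client-side sliding-window count against that limit, and maps the documented error codes to messages. The transport is injected: http_post is a real multipart POST via the standard library, and fake_post is an offline stand-in that only checks the X-Driver-MD5 header; the header-only PE image from pe_stub is constructed sample input, not a driver.

```python
import json
import struct
import time
import urllib.error
import urllib.request
from collections import deque

UPLOAD_URL = "https://drivershield.io/?r=api/upload"   # endpoint from the docs
TOKEN_HEADER = "X-Driver-MD5"                           # header name from the docs
MAX_UPLOAD_BYTES = 50 * 1024 * 1024                     # documented 50 MB cap
UPLOADS_PER_HOUR = 30                                   # documented per-IP limit

# Documented error codes mapped to operator-facing messages.
ERRORS = {
    401: "missing or invalid API token",
    403: "account suspended",
    422: "invalid file (wrong extension, too large, invalid PE)",
    429: "rate limit exceeded (30 uploads/hour)",
}

def looks_like_pe(data):
    """Cheap local PE check mirroring the server's 'valid PE headers' rule:
    'MZ' at offset 0, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def preflight(filename, data):
    """Return the documented reasons a file would be rejected with 422, so a
    bad file is caught locally instead of spending one of the hourly slots."""
    problems = []
    if not filename.lower().endswith(".sys"):
        problems.append("extension must be .sys")
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append("file exceeds 50 MB")
    if not looks_like_pe(data):
        problems.append("missing or invalid PE headers")
    return problems

class UploadBudget:
    """Client-side sliding-window counter for the 30 uploads/hour limit."""
    def __init__(self, limit=UPLOADS_PER_HOUR, window=3600.0):
        self.limit, self.window, self.sent = limit, window, deque()

    def allow(self, now=None):
        now = time.time() if now is None else now
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()            # drop timestamps outside the window
        if len(self.sent) >= self.limit:
            return False
        self.sent.append(now)
        return True

def submit(filename, data, token, post, budget=None):
    """Preflight, check the local budget, POST through `post(url, headers,
    filename, data) -> (status, json_body)` and map the documented errors.
    Returns (ok, detail): the verdict on success, a reason otherwise."""
    problems = preflight(filename, data)
    if problems:
        return False, "preflight failed: " + "; ".join(problems)
    if budget is not None and not budget.allow():
        return False, "local budget exhausted: " + ERRORS[429]
    status, body = post(UPLOAD_URL, {TOKEN_HEADER: token}, filename, data)
    if status == 200:
        return True, body["result"]["verdict"]   # response shape from the docs
    return False, ERRORS.get(status, f"unexpected HTTP {status}")

def http_post(url, headers, filename, data):
    """Real transport (not used offline): hand-built multipart/form-data body
    with the `file` field the docs require; HTTP errors become (status, {})."""
    boundary = "----DriverShieldExampleBoundary"
    body = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream"
            "\r\n\r\n").encode() + data + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        **headers, "Content-Type": f"multipart/form-data; boundary={boundary}"})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, {}

def fake_post(url, headers, filename, data):
    """Offline stand-in for the server: enforces the token header and answers
    with the documented response shape."""
    if headers.get(TOKEN_HEADER) != "test-token":
        return 401, {}
    return 200, {"result": {"verdict": "clean"}}

def pe_stub():
    """Constructed header-only PE image (not a driver) used as sample input."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)
```

Call submit("driver.sys", data, token, http_post, budget=UploadBudget()) for a real upload. The local budget is advisory: the server enforces the limit per IP, so several clients behind one egress address share the 30 slots and a 429 can still occur, which submit reports through the ERRORS table.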
Authentication
Sign in to obtain your personal API token from the API page. Include it as the X-Driver-MD5 HTTP header in upload requests.