DriverShield - REST API for Windows Driver Analysis
REST API for automated Windows kernel driver scanning. SHA256 hash lookup, .sys upload, and JSON reports with risk score, YARA matches, IOCTL codes, and verdicts.
API Documentation
Endpoint 1 - SHA256 Hash Lookup
Query the platform for a previously analyzed Windows kernel driver by SHA256 hash.
Request: GET /?r=apilookup&sha256={64-char-hex-hash}
No authentication required. Returns risk score, verdict, detection counts, YARA match count, and MITRE ATT&CK techniques.
Response Fields
found - boolean, whether the hash exists
sha256 - the queried hash
filename - original driver filename
risk_score - composite risk score (0-100)
verdict - clean, suspicious, vulnerable, or malicious
vt_detections / vt_total - external detection ratio
yara_matches - YARA rule hit count
scanned_at - analysis timestamp
mitre - array of MITRE ATT&CK technique IDs
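Added example (not DriverShield's own code): a client-side helper that builds the lookup request and validates the response against the fields listed above before acting on it. The host name, the flat JSON object shape, the scanned_at format, and the triage policy with its review_at threshold are assumptions, not part of the documented API.

```python
import json
import re
from urllib.parse import urlencode

BASE_URL = "https://drivershield.example"  # placeholder host, not given on the page
VERDICTS = {"clean", "suspicious", "vulnerable", "malicious"}  # documented values

def lookup_url(sha256: str) -> str:
    """Build GET /?r=apilookup&sha256=..., rejecting anything but 64 hex chars."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", sha256):
        raise ValueError("sha256 must be exactly 64 hex characters")
    return BASE_URL + "/?" + urlencode({"r": "apilookup", "sha256": sha256})

def parse_lookup(body: str, queried: str) -> dict:
    """Check a lookup response against the documented fields before using it."""
    data = json.loads(body)
    if not isinstance(data, dict) or not isinstance(data.get("found"), bool):
        raise ValueError("'found' must be a boolean")
    if not data["found"]:
        return {"found": False}
    if str(data.get("sha256", "")).lower() != queried.lower():
        raise ValueError("response describes a different hash than the one queried")
    if data.get("verdict") not in VERDICTS:
        raise ValueError("verdict is not one of the documented values")
    score = data.get("risk_score")
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        raise ValueError("risk_score must be a number in 0-100")
    return data

def triage(report: dict, review_at: int = 50) -> str:
    """Local policy (assumed): map a validated report to an action."""
    if not report["found"]:
        return "unknown"  # never analyzed; absence is not a clean verdict
    if report["verdict"] in ("vulnerable", "malicious"):
        return "block"
    if report["verdict"] == "suspicious" or report["risk_score"] >= review_at:
        return "review"
    return "allow"

# Constructed sample response; the hash and all values are made up.
SAMPLE_HASH = "ab" * 32
SAMPLE_BODY = json.dumps({
    "found": True, "sha256": SAMPLE_HASH, "filename": "example.sys",
    "risk_score": 82, "verdict": "vulnerable", "vt_detections": 3,
    "vt_total": 70, "yara_matches": 2, "scanned_at": "2025-01-01 00:00:00",
    "mitre": ["T1068"],
})

if __name__ == "__main__":
    print(lookup_url(SAMPLE_HASH))
    print(triage(parse_lookup(SAMPLE_BODY, SAMPLE_HASH)))
```

A found value of false only means the platform has not analyzed that hash, so the helper reports it as unknown instead of treating it as clean.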
Endpoint 2 - Upload & Scan Driver
Upload a .sys driver file for full automated analysis. Requires API token authentication.
Request: POST /?r=api/upload
Headers: X-Driver-MD5: {your_api_token}
Accepted: .sys files only, max 50 MB, valid PE headers required.
Rate Limits
- Hash Lookup: Unlimited
- File Upload: 30 requests per hour per IP
- Authentication: 10 attempts per 15 minutes per IP
Authentication
Sign in to obtain your personal API token from the API page. Include it as the X-Driver-MD5 HTTP header in upload requests.