DriverShield - Analysis Methodology

How DriverShield analyzes Windows kernel drivers: 14-stage static pipeline, scoring formula, YARA matching, IOCTL extraction, and MITRE ATT&CK mapping.

14-Stage Analysis Pipeline

Every submitted .sys file is processed by a multi-stage static analysis pipeline complemented by behavioural and dynamic indicators. Stages contribute to a 0-100 composite risk score and one of four verdict bands.

Hash computation - MD5, SHA1, SHA256 for cross-referencing and dedup.
PE structure validation - DOS header, COFF, Optional Header magic.
Section + entropy - per-section entropy to detect packing.
Version resource extraction - FileDescription, CompanyName, OriginalFilename.
Import Address Table scan - dangerous kernel API enumeration.
IOCTL dispatch extraction - dispatch routine IOCTL codes with risk classification.
Authenticode chain parsing - signer, issuer, serial, validity.
CFI / DEP / ASLR checks - modern mitigation flags.
YARA matching - built-in rules plus synced vulnerable-driver signatures.
Known-vulnerable cross-reference - hash lookup against curated corpus.
Multi-engine consensus - aggregate detection feedback when available.
Symbolic execution - path reachability analysis (angr).
String classification - URLs, registry paths, mutex names, indicators.
ATT&CK + Sigma + score - technique mapping, rule synthesis, composite score.

Verdict Bands

Clean (0-29) - no notable risk signals.
Suspicious (30-59) - some risk signals; manual review recommended.
Vulnerable (60-79) - known or likely vulnerability surface; common BYOVD candidate.
Malicious (80-100) - strong indicators of malicious intent.

See the CVE library for vulnerable-driver CVEs and the driver database for live analyses.