BYOVD (Bring Your Own Vulnerable Driver) analysis pipeline.
Helios automates the full workflow of identifying, analysing, and scoring Windows kernel drivers for BYOVD exploitation potential. It combines IDA Pro static analysis, Hex-Rays decompilation, and a local LLM (via Ollama) to produce structured risk reports — all from a terminal UI or a single CLI command.
For research, red-teaming, and defensive security purposes only.
- Module 1 — Driver collection from System32, a custom directory, specific files, or online sources (GitHub / Windows Update Catalog). Checks signatures, LOLDrivers, and the Microsoft Recommended Driver Blocklist automatically.
- Module 2 — Headless IDA Pro analysis: labels
DriverEntry, IRP dispatch handlers, and ~55 security-relevant kernel APIs. Produces a structured JSON analysis. - Module 2.5 — Hex-Rays decompilation to annotated C with priority-ordered output (DriverEntry and security-flagged functions first), IOCTL decoding, and noise filtering.
- Module 3 — LLM scoring via Ollama. Detects exploitation primitives (arbitrary R/W, CR0/CR4 writes, unvalidated IOCTL pointers, process injection, etc.) and produces a 0–100 risk score combining static metadata and code analysis.
- Module 4 — Interactive PoC generator. Ranks candidate drivers by attack category (privilege escalation, arbitrary read/write) and uses the LLM to produce C++ proof-of-concept code.
- Terminal UI — Full Textual TUI with live log streaming, report browser, online acquisition, and a hardware scanner that recommends optimal concurrency settings for your machine.
- Parallel execution — IDA and LLM stages run concurrently via
ThreadPoolExecutor. Skip-existing caching avoids re-processing drivers that already have output files.
| Requirement | Notes |
|---|---|
| Python 3.11+ | |
| IDA Pro or IDA Free | Needs idat.exe / idat64.exe and the Hex-Rays decompiler plugin |
| Ollama | Local LLM inference server |
qwen2.5-coder:7b |
Default model — ~4 GB VRAM; configurable |
| Windows 10/11 | IDA and driver signing checks are Windows-specific |
pip install -r requirements.txt
Download from ollama.com, then pull the model:
ollama pull qwen2.5-coder:7b
python helios_setup.py
The wizard finds your IDA installation, tests Ollama connectivity, asks about concurrency settings, and writes a helios.env file with your local config. You only need to do this once.
python helios_ui.py
Or run the pipeline directly from the CLI:
python pipeline.py --source system # analyse all System32 drivers
python pipeline.py --source dir --path C:\drivers
python pipeline.py --source files --path cpuz.sys
python pipeline.py --module 4 # PoC generator (uses existing reports)
Helios reads settings from three places, in priority order:
helios.envin the project root (created by the setup wizard)HELIOS_*environment variables (e.g.HELIOS_IDA_DIR)- Built-in defaults
helios.env is gitignored — your personal paths never appear in the repository. Copy helios.env.example as a starting point:
cp helios.env.example helios.env
Key settings:
| Key | Default | Description |
|---|---|---|
ida_dir |
auto-detected | Path to your IDA Pro directory |
ollama_model |
qwen2.5-coder:7b |
Ollama model to use |
ollama_base_url |
http://localhost:11434 |
Ollama server URL |
ida_concurrency |
1 |
Parallel IDA instances (each uses ~2–4 GB RAM) |
ollama_concurrency |
1 |
Parallel Ollama requests |
github_token |
(none) | GitHub PAT for 5,000 req/hr rate limit |
IDA is auto-detected from common install paths (Program Files\IDA*, Downloads\IDA*, etc.). Only set ida_dir if auto-detection fails.
[Driver files]
│
▼
Module 1 ── Signature check ── LOLDrivers ── MS Blocklist
│
▼
Module 2 ── IDA Pro headless ── API tagging ── Symbol renaming
│
▼
Module 2.5 ── Hex-Rays decompilation ── Priority ordering ── IOCTL decoding
│
▼
Module 3 ── LLM code analysis ── Static scoring ── Risk report (JSON)
│
▼
Module 4 ── Candidate ranking ── LLM PoC generation (C++)
Reports are written to output/reports/<driver>_report.json.
Scores start at 100 and deductions are applied from two sources:
Static (Python, deterministic):
| Factor | Deduction |
|---|---|
| Unsigned driver | −40 |
| Revoked certificate | −45 |
| On LOLDrivers list | −50 |
| On MS Driver Blocklist | −50 |
| Known CVE | −30 each (capped at −50) |
| Driver older than 36 months | −15 |
| Non-business driver (game/RGB/OC tool) | −20 |
Code analysis (LLM):
| Primitive | Deduction |
|---|---|
| Arbitrary physical/virtual memory R/W | −50 |
| CR0/CR4/MSR write | −50 |
| Unvalidated IOCTL input pointer | −30 |
| Process injection | −40 |
| Security callback (AV blinding) | −35 |
Privilege escalation via ZwSetSystemInformation |
−30 |
Driver loading via ZwLoadDriver |
−25 |
| Device stack hijack | −20 |
Classification:
| Score | Label | Action |
|---|---|---|
| 85–100 | TRUSTED | ALLOW |
| 65–84 | LOW RISK | ALLOW |
| 40–64 | MODERATE RISK | CONDITIONALLY_ALLOW |
| 20–39 | HIGH RISK | BLOCK |
| 0–19 | CRITICAL | BLOCK |
python pipeline.py [options]
--source system | dir | files | online Driver source (default: system)
--path PATH [PATH ...] Directory or .sys files
--query QUERY [QUERY ...] Search terms for --source online
--module 1 | 2 | 2.5 | 3 | 4 Run up to this module (default: 3)
--limit N Process at most N drivers
--force-reanalyze Re-run even if output files exist
--refresh-cache Force re-download of blocklists
--log-level DEBUG | INFO | WARNING | ERROR
output/
├── metadata/ Module 1 — driver metadata + blocklist results (JSON)
├── idb/ IDA databases
├── analysis/ Module 2 — IDA analysis results (JSON)
├── decompiled/ Module 2.5 — decompiled C files
├── reports/ Module 3 — final risk reports (JSON)
└── cache/ LOLDrivers + MS blocklist downloads
| VRAM | Recommended model | Notes |
|---|---|---|
| 8 GB | qwen2.5-coder:7b |
Default; fast, good kernel code understanding |
| 12 GB+ | qwen2.5-coder:14b |
Better reasoning on obfuscated code |
| 24 GB+ | qwen2.5-coder:32b |
Best accuracy |
Change the model in helios.env:
ollama_model=qwen2.5-coder:14b
Helios is intended for authorised security research, penetration testing, and defensive tooling. Generating or deploying exploit code against systems you do not own or have explicit permission to test is illegal. The PoC generator (Module 4) produces research-grade output for controlled lab environments only.