Skip to content

Vu2n/Helios

Repository files navigation

Helios

BYOVD (Bring Your Own Vulnerable Driver) analysis pipeline.

Helios automates the full workflow of identifying, analysing, and scoring Windows kernel drivers for BYOVD exploitation potential. It combines IDA Pro static analysis, Hex-Rays decompilation, and a local LLM (via Ollama) to produce structured risk reports — all from a terminal UI or a single CLI command.

For research, red-teaming, and defensive security purposes only.


Features

  • Module 1 — Driver collection from System32, a custom directory, specific files, or online sources (GitHub / Windows Update Catalog). Checks signatures, LOLDrivers, and the Microsoft Recommended Driver Blocklist automatically.
  • Module 2 — Headless IDA Pro analysis: labels DriverEntry, IRP dispatch handlers, and ~55 security-relevant kernel APIs. Produces a structured JSON analysis.
  • Module 2.5 — Hex-Rays decompilation to annotated C with priority-ordered output (DriverEntry and security-flagged functions first), IOCTL decoding, and noise filtering.
  • Module 3 — LLM scoring via Ollama. Detects exploitation primitives (arbitrary R/W, CR0/CR4 writes, unvalidated IOCTL pointers, process injection, etc.) and produces a 0–100 risk score combining static metadata and code analysis.
  • Module 4 — Interactive PoC generator. Ranks candidate drivers by attack category (privilege escalation, arbitrary read/write) and uses the LLM to produce C++ proof-of-concept code.
  • Terminal UI — Full Textual TUI with live log streaming, report browser, online acquisition, and a hardware scanner that recommends optimal concurrency settings for your machine.
  • Parallel execution — IDA and LLM stages run concurrently via ThreadPoolExecutor. Skip-existing caching avoids re-processing drivers that already have output files.

Requirements

Requirement Notes
Python 3.11+
IDA Pro or IDA Free Needs idat.exe / idat64.exe and the Hex-Rays decompiler plugin
Ollama Local LLM inference server
qwen2.5-coder:7b Default model — ~4 GB VRAM; configurable
Windows 10/11 IDA and driver signing checks are Windows-specific

Quick Start

1. Install Python dependencies

pip install -r requirements.txt

2. Install and start Ollama

Download from ollama.com, then pull the model:

ollama pull qwen2.5-coder:7b

3. Run the setup wizard

python helios_setup.py

The wizard finds your IDA installation, tests Ollama connectivity, asks about concurrency settings, and writes a helios.env file with your local config. You only need to do this once.

4. Launch the TUI

python helios_ui.py

Or run the pipeline directly from the CLI:

python pipeline.py --source system          # analyse all System32 drivers
python pipeline.py --source dir --path C:\drivers
python pipeline.py --source files --path cpuz.sys
python pipeline.py --module 4              # PoC generator (uses existing reports)

Configuration

Helios reads settings from three places, in priority order:

  1. helios.env in the project root (created by the setup wizard)
  2. HELIOS_* environment variables (e.g. HELIOS_IDA_DIR)
  3. Built-in defaults

helios.env is gitignored — your personal paths never appear in the repository. Copy helios.env.example as a starting point:

cp helios.env.example helios.env

Key settings:

Key Default Description
ida_dir auto-detected Path to your IDA Pro directory
ollama_model qwen2.5-coder:7b Ollama model to use
ollama_base_url http://localhost:11434 Ollama server URL
ida_concurrency 1 Parallel IDA instances (each uses ~2–4 GB RAM)
ollama_concurrency 1 Parallel Ollama requests
github_token (none) GitHub PAT for 5,000 req/hr rate limit

IDA is auto-detected from common install paths (Program Files\IDA*, Downloads\IDA*, etc.). Only set ida_dir if auto-detection fails.


Pipeline Stages

[Driver files]
      │
      ▼
Module 1 ── Signature check ── LOLDrivers ── MS Blocklist
      │
      ▼
Module 2 ── IDA Pro headless ── API tagging ── Symbol renaming
      │
      ▼
Module 2.5 ── Hex-Rays decompilation ── Priority ordering ── IOCTL decoding
      │
      ▼
Module 3 ── LLM code analysis ── Static scoring ── Risk report (JSON)
      │
      ▼
Module 4 ── Candidate ranking ── LLM PoC generation (C++)

Reports are written to output/reports/<driver>_report.json.


Risk Scoring

Scores start at 100 and deductions are applied from two sources:

Static (Python, deterministic):

Factor Deduction
Unsigned driver −40
Revoked certificate −45
On LOLDrivers list −50
On MS Driver Blocklist −50
Known CVE −30 each (capped at −50)
Driver older than 36 months −15
Non-business driver (game/RGB/OC tool) −20

Code analysis (LLM):

Primitive Deduction
Arbitrary physical/virtual memory R/W −50
CR0/CR4/MSR write −50
Unvalidated IOCTL input pointer −30
Process injection −40
Security callback (AV blinding) −35
Privilege escalation via ZwSetSystemInformation −30
Driver loading via ZwLoadDriver −25
Device stack hijack −20

Classification:

Score Label Action
85–100 TRUSTED ALLOW
65–84 LOW RISK ALLOW
40–64 MODERATE RISK CONDITIONALLY_ALLOW
20–39 HIGH RISK BLOCK
0–19 CRITICAL BLOCK

CLI Reference

python pipeline.py [options]

--source   system | dir | files | online    Driver source (default: system)
--path     PATH [PATH ...]                   Directory or .sys files
--query    QUERY [QUERY ...]                 Search terms for --source online
--module   1 | 2 | 2.5 | 3 | 4             Run up to this module (default: 3)
--limit    N                                 Process at most N drivers
--force-reanalyze                            Re-run even if output files exist
--refresh-cache                              Force re-download of blocklists
--log-level DEBUG | INFO | WARNING | ERROR

Output Structure

output/
├── metadata/       Module 1 — driver metadata + blocklist results (JSON)
├── idb/            IDA databases
├── analysis/       Module 2 — IDA analysis results (JSON)
├── decompiled/     Module 2.5 — decompiled C files
├── reports/        Module 3 — final risk reports (JSON)
└── cache/          LOLDrivers + MS blocklist downloads

Model Recommendations

VRAM Recommended model Notes
8 GB qwen2.5-coder:7b Default; fast, good kernel code understanding
12 GB+ qwen2.5-coder:14b Better reasoning on obfuscated code
24 GB+ qwen2.5-coder:32b Best accuracy

Change the model in helios.env:

ollama_model=qwen2.5-coder:14b

Disclaimer

Helios is intended for authorised security research, penetration testing, and defensive tooling. Generating or deploying exploit code against systems you do not own or have explicit permission to test is illegal. The PoC generator (Module 4) produces research-grade output for controlled lab environments only.

About

A LLM based BYOVD pipeline for single/mass driver ZeroDay/Exploit hunting

Resources

Stars

7 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages