Current malware is compromising endpoints by using malicious drivers and dynamic-link libraries (DLLs) to load its code from the hardware layer into the operating system. Use the following Python script to check whether your PC is running unsigned drivers, which is a clear indicator of compromise.
Save the following Python script as "checkdrivers.py". Open a command prompt as administrator, then launch the saved script. Dependencies: Python, "pip install requests" (used by the installer script below), and the Sysinternals Suite (see below), whose sigcheck.exe must be on the PATH.
import csv
import io
import shutil
import subprocess
import sys

# driverquery's default table has no path column and display names contain
# spaces, so request verbose CSV output and parse it with the csv module.
driver_csv = subprocess.check_output(["driverquery", "/v", "/fo", "csv"], text=True)
drivers = list(csv.DictReader(io.StringIO(driver_csv)))

# sigcheck.exe (or the 64-bit build) must be on PATH, e.g. the extracted Sysinternals folder
sigcheck = shutil.which("sigcheck") or shutil.which("sigcheck64")
if sigcheck is None:
    sys.exit("sigcheck not found on PATH; install the Sysinternals Suite first.")

# Check each driver for a digital signature
for driver in drivers:
    name = driver["Module Name"]
    path = driver["Path"]
    if not path:
        print(f"{name}: no on-disk path reported, skipping.")
        continue
    # sigcheck can exit non-zero for unsigned files, so capture output instead of check_output
    result = subprocess.run([sigcheck, "-accepteula", "-nobanner", "-i", path],
                            capture_output=True, text=True)
    # Look for the "Verified:" field rather than assuming it is on a fixed line
    verified = next((line.split(":", 1)[1].strip() for line in result.stdout.splitlines()
                     if line.strip().startswith("Verified:")), None)
    if verified is None:
        print(f"Error checking signature for {name}: {result.stdout or result.stderr}")
    elif verified == "Signed":
        print(f"{name} is digitally signed and trusted.")
    else:
        print(f"{name} is not digitally signed ({verified}).")
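As an added example (not part of the original post), the driverquery and sigcheck parsing used by the script above can be exercised offline over constructed tool output, so the column and field handling is checked without running the tools; the driver names, paths and sigcheck text below are constructed samples, not real output.

```python
import csv
import io

# Constructed sample of `driverquery /v /fo csv` output (only the columns used here)
DRIVERQUERY_CSV = (
    '"Module Name","Display Name","Driver Type","Path"\r\n'
    '"ACPI","Microsoft ACPI Driver","Kernel","C:\\Windows\\system32\\drivers\\ACPI.sys"\r\n'
    '"exampledrv","Example Driver","Kernel","C:\\Windows\\system32\\drivers\\exampledrv.sys"\r\n'
    '"Beep","Beep","Kernel",""\r\n'
)

# Constructed sigcheck -i style text output, keyed by the path that was checked
SIGCHECK_OUTPUT = {
    "C:\\Windows\\system32\\drivers\\ACPI.sys":
        "C:\\Windows\\system32\\drivers\\ACPI.sys:\n\tVerified:\tSigned\n"
        "\tSigners:\n\t   Microsoft Windows\n",
    "C:\\Windows\\system32\\drivers\\exampledrv.sys":
        "C:\\Windows\\system32\\drivers\\exampledrv.sys:\n\tVerified:\tUnsigned\n",
}


def parse_driverquery(csv_text):
    """Return (module name, path) pairs from driverquery /v /fo csv output."""
    return [(row["Module Name"], row["Path"]) for row in csv.DictReader(io.StringIO(csv_text))]


def parse_sigcheck(text):
    """Pick the Verified: value out of sigcheck's text output; None if the field is absent."""
    for line in text.splitlines():
        field, sep, value = line.strip().partition(":")
        if sep and field == "Verified":
            return value.strip()
    return None


def classify_drivers(csv_text, sigcheck_results):
    """Group module names into signed, unsigned and unchecked (no path or no verdict)."""
    report = {"signed": [], "unsigned": [], "unchecked": []}
    for name, path in parse_driverquery(csv_text):
        verdict = parse_sigcheck(sigcheck_results.get(path, ""))
        if verdict == "Signed":
            report["signed"].append(name)
        elif verdict is None:
            report["unchecked"].append(name)
        else:
            report["unsigned"].append(name)   # "Unsigned", or any other non-Signed verdict
    return report


if __name__ == "__main__":
    print(classify_drivers(DRIVERQUERY_CSV, SIGCHECK_OUTPUT))
```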
How to install Sysinternals from Microsoft: save the following as a Python script and run it from CMD as administrator.
———————
import io
import os
import subprocess
import sys
import zipfile

import requests

# Set the download URL and the folder the suite is extracted into
url = "https://download.sysinternals.com/files/SysinternalsSuite.zip"
target_dir = os.path.abspath("SysinternalsSuite")

# Download the Sysinternals Suite ZIP file with TLS certificate verification on
response = requests.get(url, verify=True, timeout=60)
if response.status_code != requests.codes.ok:
    sys.exit(f"Error downloading Sysinternals Suite: {response.status_code}")

# Extract the ZIP file contents; the archive has no top-level folder, so the
# tools land directly in target_dir
with zipfile.ZipFile(io.BytesIO(response.content)) as zip_file:
    zip_file.extractall(target_dir)

# Add the folder to the PATH environment variable. This only affects the current
# process and its children; add target_dir to the system PATH to make it permanent.
os.environ["PATH"] += os.pathsep + target_dir

# Run a Sysinternals tool to verify the installation. sigcheck prints its usage
# text and may exit non-zero when no file is given, so capture both streams.
result = subprocess.run(["sigcheck", "-accepteula", "-nobanner", "-h"],
                        capture_output=True, text=True)
if "sigcheck" not in (result.stdout + result.stderr).lower():
    sys.exit("Error installing Sysinternals Suite.")
print(f"Sysinternals Suite has been installed successfully to {target_dir}.")