MCPcopy Index your code
hub / github.com/BlackSnufkin/HolyGrail

github.com/BlackSnufkin/HolyGrail @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
45 symbols 67 edges 4 files 0 documented · 0%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

HolyGrail

A BYOVD hunter for finding the HolyGrail driver - Windows drivers suitable for BYOVD.

Install

git clone https://github.com/BlackSnufkin/HolyGrail
cd HolyGrail
cargo build --release

Quick start

HolyGrail.exe -d "C:\path\to\driver.sys"

Add JSON output, custom output dir, and policy dir if you need:

HolyGrail.exe -d "C:\path\to\driver.sys" -o ".\out" -p ".\Policies" --json

CLI

Usage: HolyGrail.exe [OPTIONS]

Options:
  -d, --driver <DRIVER_FILE>          Path to the driver file (.sys) to analyze
  -D, --directory <DRIVER_DIRECTORY>  Directory containing driver files to analyze
  -o, --output <OUTPUT_DIRECTORY>     Output directory for analysis results [default: .\Analysis]
  -p, --policies <POLICY_DIRECTORY>   Path to directory containing policy files [default: Policies]
  -j, --json                          Output results in JSON format instead of text
  -v, --verbose                       Enable verbose logging
  -h, --help                          Print help
  -V, --version                       Print version

What it checks

  • Kernel imports commonly used in BYOVD chains (memory/MDL, section/VM mapping, cross-proc R/W, process control, device I/O).
  • Block policies: compares the driver against Microsoft’s Windows 10/11 Driver Block Policy (File Version, AuthCode Hash, Certificate).
  • LoLDrivers: flags if the driver appears there.
  • Basic comms hints: device interfaces that suggest an easy user-mode bridge.

Policy files

Place these in the Policies directory (or point -p to where they live):

Policies/
├── lol_drivers.json
├── Win10_MicrosoftDriverBlockPolicy.json
└── Win11_MicrosoftDriverBlockPolicy.json

What counts as a “HolyGrail” driver

  • Has the right imports for your technique (e.g., cross-process R/W, section mapping, termination).
  • Not on LoLDrivers (less attention from defenders).
  • Not blocked on Windows 10 and Windows 11 (loads without policy issues).
  • Has a comms path (IOCTLs/device objects) for easy control.

Use cases

  • Red teams: surface legitimate, loadable drivers with the primitives you need.
  • Researchers: map new candidates and study real-world attack surfaces.
  • Defenders (optional): audit your fleet for BYOVD risk.

Core symbols most depended-on inside this repo

parse_ver
called by 3
src/driver_policy.rs
analyze_single_driver
called by 2
src/find_vuln.rs
sanitize_version_string
called by 2
src/utils.rs
load_policy
called by 2
src/driver_policy.rs
is_driver_file
called by 2
src/main.rs
is_loldriver
called by 1
src/find_vuln.rs
calculate_file_hash
called by 1
src/utils.rs
format_file_size
called by 1
src/utils.rs

Shape

Function 18
Class 14
Method 11
Enum 2

Languages

Rust100%

Modules by API surface

src/driver_policy.rs25 symbols
src/find_vuln.rs9 symbols
src/utils.rs7 symbols
src/main.rs4 symbols

For agents

$ claude mcp add HolyGrail \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact