Ghidra-powered triage scanner for Windows kernel drivers. Scores drivers on 97 vulnerability heuristics so you know which .sys files to pull apart first.
Cthaeh doesn't find vulnerabilities. It finds the drivers most likely to have them, so you can focus your reverse engineering time where it matters.
```
============================================================
CTHAEH TRIAGE COMPLETE: 340 drivers analyzed
============================================================
CRITICAL: 2
HIGH priority: 14
MEDIUM priority: 38
LOW priority: 72
SKIP: 214

Top targets (>= HIGH):
  1. [CRITICAL] 360 pts  athw8x.sys
  2. [CRITICAL] 310 pts  vhdmp.sys
  3. [HIGH    ] 245 pts  vmci.sys
  4. [HIGH    ] 240 pts  hvservice.sys
```

```
============================================================
Driver: ssudbus2.sys v2.21.0.0 (Samsung Electronics)
============================================================
Vendor: Samsung (CNA: YES) | Bounty: PRESENT
Score: 285 | Priority: CRITICAL
Priority: CRITICAL - IMMEDIATE - full reverse engineering, build PoC exploit

Scored checks:
  + 25 [msr_write]       Contains WRMSR instruction(s)
  + 20 [symlink_no_acl]  Symbolic link + IoCreateDevice without Secure
  + 20 [port_io_rw]      Port I/O: 12 IN + 8 OUT instructions
  ...
```
```
pip install -r requirements.txt
python download_dta.py                                # Talos type archive (once)
python extract_driverstore.py --output C:\drivers     # Pull third-party drivers
python run_triage.py C:\drivers                       # Scan (only loaded drivers by default)
python run_triage.py C:\drivers --all                 # Scan everything
python run_triage.py --single C:\path\to\driver.sys   # Single driver
python run_triage.py --explain example.sys            # Explain a score
```

Set GHIDRA_HOME and you never need --ghidra. Pre-filter, parallel workers, JSON, and markdown report are all on by default.

- Running-only filter (Windows default): scans only loaded drivers; pass --all to override.
- Pre-filter (pefile): drops uninteresting drivers in milliseconds (~37% eliminated).
- Parallel Ghidra headless: N workers (auto = half of the CPUs).
- 97 heuristic checks: dangerous primitives, IOCTL surface, BYOVD, validation gaps, memory corruption, vendor context, and more.
- Enriched output: CSV + JSON + markdown report with vendor/CNA status, prior CVEs, and actionable recommendations.
| Tier | Threshold | Action |
|---|---|---|
| CRITICAL | ≥ 250 | Drop everything and analyze |
| HIGH | ≥ 150 | Investigate soon |
| MEDIUM | ≥ 75 | Worth a look |
| LOW | ≥ 30 | Probably boring |
| SKIP | < 30 | Move on |
Already-analyzed drivers go in investigated.json and are skipped on future scans. Supports version-aware skipping: if a driver is updated (version changes), it gets re-scanned automatically.
```json
{
  "investigated": {
    "example.sys": {
      "reason": "4 vulns submitted to vendor PSIRT",
      "version": "2.21.0.0"
    }
  }
}
```

```
DriverStore --> extract --> running-only --> pre-filter --> Cthaeh --> ranked list --> manual audit
                                                                                           |
                                                                      Claude Code + Ghidra MCP --> vuln
```
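The tier thresholds above and the version-aware skip rule for investigated.json can be expressed in a few lines. The following is an added example, not Cthaeh's own code: it reconstructs the scoring-to-tier mapping from the table and the skip logic from the JSON layout; the driver names, check ids and point values in the sample input are constructed.

```python
# Added example (not Cthaeh's own code): tier assignment and version-aware
# skipping, reconstructed from the README's threshold table and the
# investigated.json layout. Check ids, points and driver names are constructed.
from typing import Dict, List, Tuple

# Score thresholds from the README's priority table (score >= threshold).
TIERS: List[Tuple[str, int]] = [
    ("CRITICAL", 250), ("HIGH", 150), ("MEDIUM", 75), ("LOW", 30), ("SKIP", 0),
]

def tier_for(score: int) -> str:
    """Map a heuristic score to its priority tier."""
    for name, threshold in TIERS:
        if score >= threshold:
            return name
    return "SKIP"

def should_skip(driver: str, version: str, investigated: Dict) -> bool:
    """Skip only if the driver was investigated at this exact version;
    a changed version means the entry is stale and the driver is re-scanned."""
    entry = investigated.get("investigated", {}).get(driver)
    return entry is not None and entry.get("version") == version

def rank_drivers(findings: Dict[str, Dict], investigated: Dict) -> List[Tuple[str, int, str]]:
    """findings: {driver: {"version": str, "checks": {check_id: points}}}.
    Returns (driver, score, tier), highest score first, skipped drivers removed."""
    ranked = []
    for driver, info in findings.items():
        if should_skip(driver, info["version"], investigated):
            continue
        score = sum(info["checks"].values())
        ranked.append((driver, score, tier_for(score)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked

# Constructed sample input in the shape of the README's report and JSON file.
SAMPLE_FINDINGS = {
    "drv_a.sys": {"version": "3.0.1.0", "checks": {"msr_write": 25, "symlink_no_acl": 20,
                                                    "port_io_rw": 20, "ioctl_surface": 195}},
    "example.sys": {"version": "2.22.0.0", "checks": {"port_io_rw": 20, "msr_write": 25,
                                                       "symlink_no_acl": 20, "byovd_hint": 95}},
    "old.sys": {"version": "1.0.0.0", "checks": {"msr_write": 25}},
    "quiet.sys": {"version": "1.0.0.0", "checks": {}},
}
SAMPLE_INVESTIGATED = {"investigated": {
    "example.sys": {"reason": "4 vulns submitted to vendor PSIRT", "version": "2.21.0.0"},
    "old.sys": {"reason": "reviewed, nothing reachable", "version": "1.0.0.0"},
}}

if __name__ == "__main__":
    for driver, score, tier in rank_drivers(SAMPLE_FINDINGS, SAMPLE_INVESTIGATED):
        print(f"[{tier}] {score} pts {driver}")
```

Note that example.sys is re-ranked because its version moved from 2.21.0.0 to 2.22.0.0, while old.sys, still at the investigated version, is dropped from the list.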
- Python 3.8+ with `pefile` and `pyyaml`
- Ghidra 10.x+ (headless mode)
- Windows for DriverStore extraction (analysis works on any OS)
See REFERENCE.md for the full technical reference (all 97 heuristics, CLI flags, anti-pattern tags).
- WDAC block policy checking and LOLDrivers cross-reference inspired by HolyGrail by BlackSnufkin.
- Kernel Rhabdomancer candidate point strategy inspired by Rhabdomancer.java by Marco Ivaldi (0xdea). See also: Automating binary vulnerability discovery with Ghidra and Semgrep.
- Anti-pattern tagging (AP1-AP6) based on KernelSight vulnerability root cause analysis across 134 CVEs.
- Framework detection and YAML scoring inspired by DriverAtlas by splintersfury.
- Ghidra Data Type Archive for Windows drivers by Talos Intelligence.
License: MIT

> "The Cthaeh does not lie. The Cthaeh sees the true shape of the world."