Streamlining LOLDrivers Contributions Via Streamlit

This article shows how we used Streamlit to streamline contributions to LOLDrivers, making it easier for the community to submit and manage driver threat data. The update improves collaboration, simplifies workflow, and accelerates the growth of a robust Windows driver security resource.

June 18, 2025
New LOLDriver App Upload Feature

Since its inception last year, the LOLDrivers project has seen mass adoption throughout the community, from users to vendors and everyone in between.

Its mission is simple but powerful: to shine a light on the obscure topic of living-off-the-land driver abuse. Our aim was always to make the information accessible and actionable.

A couple of months ago, my esteemed colleague and maintainer here at LOLDrivers, Michael Haag, secretly announced the LOLDrivers Streamlit app in Splunk’s Coffee Talk with SURGe.

This app aims to ease the process of adding new drivers and YAML descriptors for contributors and maintainers alike.

Today we’re happy to announce a couple of new features that make this process even easier and will hopefully welcome more contributors.

Let’s get started.

Uploading Your Driver

The first new update is probably the coolest quality-of-life improvement that was added. It streamlines the contribution process completely by letting users upload a driver and enriching the YAML with all its juicy metadata on the fly, with the click of a button.

In the background, this uses the same enrichment script that’s used internally by the LOLDrivers repository. It collects all the info that’s required, and by the end you’re left with a YAML that’s ready to be submitted in a PR :)

Enriched YAML Output

Download Drivers Via VT

The second feature is even more streamlined and it doesn’t even require you to have the driver downloaded.

Say you’re reading a report and that report happens to be talking about some driver abuse, such as the “AuKill” EDR killer malware reported by Sophos.

This malware leverages a vulnerable Process Explorer driver, and if we scroll down to the IOC list we can get its hash.

cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

With a simple VT search we can find the file there.

https://www.virustotal.com/gui/file/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

If you wanna contribute the file to LOLDrivers, the traditional approach would be:

  • Download the file
  • Create YAML
  • Execute enrichment script on it
  • Submit PR

That’s a little bit too long for some, including us at LOLDrivers HQ. Using the new Streamlit app feature, you’ll only need to provide your API key and a list of hashes, and the magic is applied for you.

That’s Not a Valid API Key
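
Hash lists copied out of a report's IOC section are rarely clean, so it helps to normalize them before pasting them into the app. The following is an added example, not code from the LOLDrivers project or its Streamlit app: the function name and the sample report text are assumptions made for illustration, and only the SHA-256 value comes from this post. It goes slightly beyond the single-hash case above by also sorting MD5 and SHA-1 values and flagging hashes that were truncated on copy.

```python
import re

# Hex digest lengths for the hash types usually found in IOC lists.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
TOKEN = re.compile(r"[0-9A-Za-z]+")  # split on punctuation, slashes, spaces
HEX = re.compile(r"[0-9a-f]+")


def extract_hashes(text):
    """Pull file hashes out of free-form report text (hypothetical helper).

    Returns (accepted, rejected). accepted maps hash type to a list of
    lowercased, de-duplicated digests in first-seen order. rejected holds
    long hex tokens whose length matches no known digest, which usually
    means the value was truncated or two values were glued together.
    """
    accepted = {name: [] for name in HASH_TYPES.values()}
    rejected, seen = [], set()
    for token in TOKEN.findall(text):
        token = token.lower()
        if len(token) < 32 or not HEX.fullmatch(token):
            continue  # ordinary word, label or URL component
        kind = HASH_TYPES.get(len(token))
        if kind is None:
            rejected.append(token)
        elif token not in seen:
            seen.add(token)
            accepted[kind].append(token)
    return accepted, rejected


# The SHA-256 quoted in this post; everything around it is constructed.
PAGE_SHA256 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of empty input, filler
SAMPLE_REPORT = f"""
IOCs (constructed sample text)
SHA256: {PAGE_SHA256}
sha256 = {PAGE_SHA256.upper()}
https://www.virustotal.com/gui/file/{PAGE_SHA256}
MD5: {EMPTY_MD5}
SHA256 (cut off while copying): {PAGE_SHA256[:-1]}
"""

if __name__ == "__main__":
    good, bad = extract_hashes(SAMPLE_REPORT)
    print("\n".join(good["sha256"]))  # one hash per line, ready to paste
    print("needs a second look:", bad)
```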

Conclusion

We hope these new features raised your excitement as they did ours, and we hope to see even more contributions from the community.

Happy hunting ⚔️

Written by Nasreddine Bencherchali

Threat Hunting

Avid learner. Passionate about all things detection and in love with Windows Internals. With experience in threat hunting, incident response, malware analysis, code review, pentesting and digital forensics.

© 2025 MagicSword. All rights reserved.