From def2ef4306d5b857af2260fdaab87084d04cf9a7 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 14 Mar 2025 18:31:16 +0100
Subject: [PATCH] fix(pe): Erratic driver identification

Prevent false positives such as ntdll.dll because it has the PAGE section which is driver-typical.

---
 pkg/pe/parser.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/pe/parser.go b/pkg/pe/parser.go
index 462b73c08..32b381bb8 100644
--- a/pkg/pe/parser.go
+++ b/pkg/pe/parser.go
@@ -407,6 +407,12 @@ func parse(path string, data []byte, options ...Option) (*PE, error) {
 // driver samples may not contain an import directory, but section names may
 // reveal the PE is a kernel driver.
 func (pe *PE) isDriver() bool {
+ // Prevent false positives such as ntdll.dll
+ // because it has the PAGE section which is
+ // driver-typical
+ if pe.IsDLL {
+ return false
+ }
 // DIRECTORY_ENTRY_IMPORT may exist, although it may be empty.
 // If it imports from "ntoskrnl.exe" or other kernel components it should
 // be a driver.
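Review bot: The new `IsDLL` guard at the top of isDriver short-circuits before the import-directory evidence that the rest of the function (whose body continues outside this hunk) relies on, so any image carrying the DLL characteristic is classified as non-driver even when it imports from ntoskrnl.exe. If `IsDLL` mirrors the IMAGE_FILE_DLL bit in the COFF characteristics, that bit is also set on legitimate kernel-mode DLLs (hal.dll and ci.dll are typical examples) and can be flipped by an adversary in an otherwise ordinary .sys to slip past the driver classification with a one-bit change. Consider keeping the kernel-import check first and applying the DLL exclusion only to the weaker section-name heuristic, e.g. move `if pe.IsDLL { return false }` to immediately before the PAGE-section fallback. A comment making the trade-off explicit, `// NOTE: IMAGE_FILE_DLL is also set on kernel-mode DLLs (e.g. hal.dll); this only guards the section-name heuristic`, would keep the next maintainer from widening it further.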